2.6.2 Signature Checking Using GnuPG

Another method of verifying the integrity and authenticity of a
package is to use cryptographic signatures. This is more
reliable than using MD5
checksums, but requires more work.

We sign MySQL downloadable packages with
GnuPG (GNU Privacy Guard).
GnuPG is an Open Source alternative to the
well-known Pretty Good Privacy (PGP) by Phil
Zimmermann. See http://www.gnupg.org/ for more
information about GnuPG and how to obtain and
install it on your system. Most Linux distributions ship with
GnuPG installed by default. For more
information about GnuPG, see
http://www.openpgp.org/.

To verify the signature for a specific package, you first need
to obtain a copy of our public GPG build key, which you can
download from http://pgp.mit.edu/. The key that
you want to obtain is named
mysql-build@oss.oracle.com. Alternatively,
you can cut and paste the key directly from the following text:

After you have downloaded and imported the public build key,
download your desired MySQL package and the corresponding
signature, which is also available from the download page. The
signature file has the same name as the distribution file with
an .asc extension added, as shown by the examples
in the following table.

Table 2.1 MySQL Package and Signature Files for Source files

File Type           File Name
Distribution file   mysql-standard-5.0.96-linux-i686.tar.gz
Signature file      mysql-standard-5.0.96-linux-i686.tar.gz.asc

Make sure that both files are stored in the same directory and
then run the following command to verify the signature for the
distribution file:

shell> gpg --verify package_name.asc

If the downloaded package is valid, you will see a "Good
signature" message similar to:

The output may also include warnings. That is normal, as they
depend on your setup and configuration. Here are explanations
for these warnings:

gpg: no ultimately trusted keys found:
This means that the specific key is not "ultimately trusted"
by you or your web of trust, which is okay for the purposes
of verifying file signatures.

WARNING: This key is not certified with a trusted
signature! There is no indication that the signature belongs
to the owner.: This refers to how confident you are
that the public key you imported is really ours. This is
a personal decision. Ideally, a MySQL developer would hand
you the key in person, but more commonly, you downloaded it.
Was the download tampered with? Probably not, but this
decision is up to you. Setting up a web of trust is one
method for establishing trust in keys.
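As an added illustration (not part of the MySQL manual), the following Python script shows how a script can act on the result of the gpg --verify step above and on the trust warnings just described without parsing the human-readable text. It drives gpg with --status-fd 1 (a real GnuPG option that emits machine-readable "[GNUPG:] ..." lines), treats TRUST_UNDEFINED as a warning rather than a failure, and pins the signing key's full fingerprint so that a "Good signature" from some other key is rejected. The fingerprint, key ID and status lines in the sample data are constructed values for the example, not MySQL's real build key.

```python
"""Interpret GnuPG's machine-readable verification status.

Added example, not code from the MySQL manual. Assumes the caller runs
`gpg --status-fd 1 --verify <package>.asc` and passes its stdout lines to
parse_status(). All fingerprints, key IDs and status lines below are
constructed sample data.
"""
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

# Status keywords that mean the signature must NOT be accepted.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}
# Trust levels that only reflect the web of trust, not signature validity.
TRUST_WARNINGS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""
    signer: str = ""
    warnings: list = field(default_factory=list)


def parse_status(lines, expected_fingerprint):
    """Decide whether a detached-signature check passed.

    * any FATAL keyword                      -> fail
    * GOODSIG but no VALIDSIG line           -> fail (nothing to pin to)
    * VALIDSIG from a non-pinned fingerprint -> fail (wrong key)
    * TRUST_* lines are recorded as warnings only; they correspond to the
      "not certified with a trusted signature" text and are expected when
      the build key is not in your web of trust.
    """
    expected = expected_fingerprint.replace(" ", "").upper()
    signer, fpr, warnings = "", "", []
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue  # human-readable gpg output, ignored on purpose
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw in FATAL:
            return Verdict(False, "gpg reported " + kw, warnings=warnings)
        if kw == "GOODSIG":
            signer = " ".join(args[1:])       # args[0] is the short key ID
        elif kw == "VALIDSIG":
            fpr = args[0].upper()             # full fingerprint of signing key
        elif kw in TRUST_WARNINGS:
            warnings.append(kw)
    if not fpr:
        return Verdict(False, "no VALIDSIG line: signature not verified",
                       warnings=warnings)
    if fpr != expected:
        return Verdict(False, "signed by unexpected key " + fpr,
                       fingerprint=fpr, signer=signer, warnings=warnings)
    return Verdict(True, "good signature from pinned key",
                   fingerprint=fpr, signer=signer, warnings=warnings)


def verify_with_gpg(sig_path, expected_fingerprint):
    """Run gpg on a detached .asc file and apply parse_status to its status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path],
                          capture_output=True, text=True)
    return parse_status(proc.stdout.splitlines(), expected_fingerprint)


# --- constructed sample data (not MySQL's real key) ---------------------
EXPECTED_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"
OTHER_FPR = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
UID = "mysql-build@oss.oracle.com"

SAMPLE_GOOD = [
    "gpg: Signature made Mon 01 Jan 2012 00:00:00 UTC",   # human-readable, ignored
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 6D7E8F9011223344 " + UID,
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2012-01-01 1325376000 0 4 0 1 10 00 " + EXPECTED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 6D7E8F9011223344 " + UID]
SAMPLE_WRONG_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF someone-else@example.invalid",
    "[GNUPG:] VALIDSIG " + OTHER_FPR + " 2012-01-01 1325376000 0 4 0 1 10 00 " + OTHER_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 6D7E8F9011223344 1 10 00 1325376000 9",
    "[GNUPG:] NO_PUBKEY 6D7E8F9011223344",
]

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD),
                         ("wrong key", SAMPLE_WRONG_KEY), ("no key", SAMPLE_NO_KEY)]:
        v = parse_status(sample, EXPECTED_FPR)
        print(f"{name:10s} ok={v.ok} reason={v.reason} warnings={v.warnings}")
```

The pinned fingerprint must come from an out-of-band source, such as the manual text above or a key a developer handed you, and is compared in full: the 8-hex-digit short ID on the GOODSIG line is not enough to identify a key. The TRUST_UNDEFINED warning is reported but does not fail the check, which matches the manual's guidance that the "not certified" warning is normal when the build key is outside your web of trust.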

See the GPG documentation for more information on how to work
with public keys.